Amazon Identity and Access Management roles in Amazon ParallelCluster 3.x

Amazon ParallelCluster uses Amazon Identity and Access Management (IAM) roles to control the permissions associated with the Amazon resources deployed to the Amazon Web Services account. In Amazon ParallelCluster we can identify two types of IAM roles: the role assumed by the user who invokes the CLI commands, and the roles associated with Amazon ParallelCluster resources, such as the EC2 instances launched in the cluster.

By default, Amazon ParallelCluster takes care of creating all the required IAM roles, configured with the minimum set of policies needed by the Amazon ParallelCluster resources. However, the user who invokes the various Amazon ParallelCluster operations must have the right level of permissions to create or modify all the necessary resources.

Using existing IAM roles with Amazon ParallelCluster

When you create a cluster or build a custom EC2 image, you can use existing IAM roles. Usually, you choose existing IAM roles in order to fully control the permissions granted to Amazon ParallelCluster resources and to cluster users. The following examples show the IAM policies and roles required both to invoke Amazon ParallelCluster features and to customize the permissions associated with the cluster EC2 instances.

In the policies, replace <REGION>, <Amazon ACCOUNT ID> and similar strings with the appropriate values.

Amazon ParallelCluster example user policies

The Amazon ParallelCluster user role refers to the IAM role assumed by the user who invokes the Amazon ParallelCluster CLI. You attach the policies to the user role.

Base user policy required to invoke Amazon ParallelCluster features

The following policy shows the permissions required to run Amazon ParallelCluster commands. The permissions for managing IAM resources that are needed to create a cluster are not included here; they must be granted with a separate policy, as described under the user policy for managing IAM resources.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "EC2Read"
    },
    {
      "Action": [
        "ec2:AllocateAddress",
        "ec2:AssociateAddress",
        "ec2:AttachNetworkInterface",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateLaunchTemplate",
        "ec2:CreateLaunchTemplateVersion",
        "ec2:CreateNetworkInterface",
        "ec2:CreatePlacementGroup",
        "ec2:CreateSecurityGroup",
        "ec2:CreateSnapshot",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:DeleteLaunchTemplate",
        "ec2:DeleteNetworkInterface",
        "ec2:DeletePlacementGroup",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteVolume",
        "ec2:DisassociateAddress",
        "ec2:ModifyLaunchTemplate",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:ModifyVolume",
        "ec2:ModifyVolumeAttribute",
        "ec2:ReleaseAddress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RunInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "EC2Write"
    },
    {
      "Action": [
        "dynamodb:DescribeTable",
        "dynamodb:ListTagsOfResource",
        "dynamodb:CreateTable",
        "dynamodb:DeleteTable",
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:Query",
        "dynamodb:TagResource"
      ],
      "Resource": "arn:aws:dynamodb:*:<Amazon ACCOUNT ID>:table/parallelcluster-*",
      "Effect": "Allow",
      "Sid": "DynamoDB"
    },
    {
      "Action": [
        "route53:ChangeResourceRecordSets",
        "route53:ChangeTagsForResource",
        "route53:CreateHostedZone",
        "route53:DeleteHostedZone",
        "route53:GetChange",
        "route53:GetHostedZone",
        "route53:ListResourceRecordSets",
        "route53:ListQueryLoggingConfigs"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "Route53HostedZones"
    },
    {
      "Action": [
        "cloudformation:*"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "CloudFormation"
    },
    {
      "Action": [
        "cloudwatch:PutDashboard",
        "cloudwatch:ListDashboards",
        "cloudwatch:DeleteDashboards",
        "cloudwatch:GetDashboard"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "CloudWatch"
    },
    {
      "Action": [
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:GetPolicy",
        "iam:SimulatePrincipalPolicy",
        "iam:GetInstanceProfile"
      ],
      "Resource": [
        "arn:aws:iam::<Amazon ACCOUNT ID>:role/*",
        "arn:aws:iam::<Amazon ACCOUNT ID>:policy/*",
        "arn:aws:iam::aws:policy/*",
        "arn:aws:iam::<Amazon ACCOUNT ID>:instance-profile/*"
      ],
      "Effect": "Allow",
      "Sid": "IamRead"
    },
    {
      "Action": [
        "iam:CreateInstanceProfile",
        "iam:DeleteInstanceProfile",
        "iam:AddRoleToInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile"
      ],
      "Resource": [
        "arn:aws:iam::<Amazon ACCOUNT ID>:instance-profile/parallelcluster/*"
      ],
      "Effect": "Allow",
      "Sid": "IamInstanceProfile"
    },
    {
      "Condition": {
        "StringEqualsIfExists": {
          "iam:PassedToService": [
            "lambda.amazonaws.com",
            "ec2.amazonaws.com",
            "spotfleet.amazonaws.com"
          ]
        }
      },
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*"
      ],
      "Effect": "Allow",
      "Sid": "IamPassRole"
    },
    {
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": [
            "fsx.amazonaws.com",
            "s3.data-source.lustre.fsx.amazonaws.com"
          ]
        }
      },
      "Action": [
        "iam:CreateServiceLinkedRole",
        "iam:DeleteServiceLinkedRole"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "lambda:CreateFunction",
        "lambda:DeleteFunction",
        "lambda:GetFunctionConfiguration",
        "lambda:GetFunction",
        "lambda:InvokeFunction",
        "lambda:AddPermission",
        "lambda:RemovePermission",
        "lambda:UpdateFunctionConfiguration"
      ],
      "Resource": [
        "arn:aws:lambda:*:<Amazon ACCOUNT ID>:function:parallelcluster-*",
        "arn:aws:lambda:*:<Amazon ACCOUNT ID>:function:pcluster-*"
      ],
      "Effect": "Allow",
      "Sid": "Lambda"
    },
    {
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::parallelcluster-*",
        "arn:aws:s3:::aws-parallelcluster-*"
      ],
      "Effect": "Allow",
      "Sid": "S3ResourcesBucket"
    },
    {
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "arn:aws:s3:::*-aws-parallelcluster*",
      "Effect": "Allow",
      "Sid": "S3ParallelClusterReadOnly"
    },
    {
      "Action": [
        "fsx:*"
      ],
      "Resource": [
        "arn:aws:fsx:*:<Amazon ACCOUNT ID>:*"
      ],
      "Effect": "Allow",
      "Sid": "FSx"
    },
    {
      "Action": [
        "elasticfilesystem:*"
      ],
      "Resource": [
        "arn:aws:elasticfilesystem:*:<Amazon ACCOUNT ID>:*"
      ],
      "Effect": "Allow",
      "Sid": "EFS"
    },
    {
      "Action": [
        "logs:DeleteLogGroup",
        "logs:PutRetentionPolicy",
        "logs:DescribeLogGroups",
        "logs:CreateLogGroup",
        "logs:FilterLogEvents",
        "logs:GetLogEvents",
        "logs:CreateExportTask",
        "logs:DescribeLogStreams",
        "logs:DescribeExportTasks"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "CloudWatchLogs"
    }
  ]
}

Additional user policy when using the Amazon Batch scheduler

If you need to create and manage clusters with the Amazon Batch scheduler, the following additional policy is required.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Condition": {
        "StringEqualsIfExists": {
          "iam:PassedToService": [
            "ecs-tasks.amazonaws.com",
            "batch.amazonaws.com",
            "codebuild.amazonaws.com"
          ]
        }
      },
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*"
      ],
      "Effect": "Allow",
      "Sid": "IamPassRole"
    },
    {
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": [
            "batch.amazonaws.com"
          ]
        }
      },
      "Action": [
        "iam:CreateServiceLinkedRole",
        "iam:DeleteServiceLinkedRole"
      ],
      "Resource": [
        "arn:aws:iam::<Amazon ACCOUNT ID>:role/aws-service-role/batch.amazonaws.com/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "codebuild:*"
      ],
      "Resource": "arn:aws:codebuild:*:<Amazon ACCOUNT ID>:project/pcluster-*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecr:*"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "ECR"
    },
    {
      "Action": [
        "batch:*"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "Batch"
    },
    {
      "Action": [
        "events:*"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "AmazonCloudWatchEvents"
    },
    {
      "Action": [
        "ecs:DescribeContainerInstances",
        "ecs:ListContainerInstances"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "ECS"
    }
  ]
}

User policy for using the Amazon ParallelCluster image build features

Users who intend to create custom EC2 images with Amazon ParallelCluster need the following set of permissions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:DescribeImages",
        "ec2:DescribeInstanceTypeOfferings",
        "ec2:DescribeInstanceTypes",
        "ec2:DeregisterImage",
        "ec2:DeleteSnapshot"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "EC2"
    },
    {
      "Action": [
        "iam:CreateInstanceProfile",
        "iam:AddRoleToInstanceProfile",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:GetInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile"
      ],
      "Resource": [
        "arn:aws:iam::<Amazon ACCOUNT ID>:instance-profile/parallelcluster/*",
        "arn:aws:iam::<Amazon ACCOUNT ID>:instance-profile/ParallelClusterImage*",
        "arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*"
      ],
      "Effect": "Allow",
      "Sid": "IAM"
    },
    {
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "lambda.amazonaws.com",
            "ec2.amazonaws.com"
          ]
        }
      },
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::<Amazon ACCOUNT ID>:instance-profile/parallelcluster/*",
        "arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*"
      ],
      "Effect": "Allow",
      "Sid": "IAMPassRole"
    },
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:DeleteLogGroup"
      ],
      "Resource": [
        "arn:aws:logs:*:<Amazon ACCOUNT ID>:log-group:/aws/imagebuilder/ParallelClusterImage-*",
        "arn:aws:logs:*:<Amazon ACCOUNT ID>:log-group:/aws/lambda/ParallelClusterImage-*"
      ],
      "Effect": "Allow",
      "Sid": "CloudWatch"
    },
    {
      "Action": [
        "cloudformation:DescribeStacks",
        "cloudformation:CreateStack",
        "cloudformation:DeleteStack"
      ],
      "Resource": [
        "arn:aws:cloudformation:*:<Amazon ACCOUNT ID>:stack/*"
      ],
      "Effect": "Allow",
      "Sid": "CloudFormation"
    },
    {
      "Action": [
        "lambda:CreateFunction",
        "lambda:GetFunction",
        "lambda:AddPermission",
        "lambda:RemovePermission",
        "lambda:DeleteFunction"
      ],
      "Resource": [
        "arn:aws:lambda:*:<Amazon ACCOUNT ID>:function:ParallelClusterImage-*"
      ],
      "Effect": "Allow",
      "Sid": "Lambda"
    },
    {
      "Action": [
        "imagebuilder:Get*"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "ImageBuilderGet"
    },
    {
      "Action": [
        "imagebuilder:CreateImage",
        "imagebuilder:TagResource",
        "imagebuilder:CreateImageRecipe",
        "imagebuilder:CreateComponent",
        "imagebuilder:CreateDistributionConfiguration",
        "imagebuilder:CreateInfrastructureConfiguration",
        "imagebuilder:DeleteImage",
        "imagebuilder:DeleteComponent",
        "imagebuilder:DeleteImageRecipe",
        "imagebuilder:DeleteInfrastructureConfiguration",
        "imagebuilder:DeleteDistributionConfiguration"
      ],
      "Resource": [
        "arn:aws:imagebuilder:*:<Amazon ACCOUNT ID>:image/parallelclusterimage-*",
        "arn:aws:imagebuilder:*:<Amazon ACCOUNT ID>:image-recipe/parallelclusterimage-*",
        "arn:aws:imagebuilder:*:<Amazon ACCOUNT ID>:component/parallelclusterimage-*",
        "arn:aws:imagebuilder:*:<Amazon ACCOUNT ID>:distribution-configuration/parallelclusterimage-*",
        "arn:aws:imagebuilder:*:<Amazon ACCOUNT ID>:infrastructure-configuration/parallelclusterimage-*"
      ],
      "Effect": "Allow",
      "Sid": "ImageBuilder"
    },
    {
      "Action": [
        "s3:CreateBucket",
        "s3:ListBucket",
        "s3:ListBucketVersions"
      ],
      "Resource": [
        "arn:aws:s3:::parallelcluster-*"
      ],
      "Effect": "Allow",
      "Sid": "S3Bucket"
    },
    {
      "Action": [
        "sns:GetTopicAttributes",
        "sns:TagResource",
        "sns:CreateTopic",
        "sns:Subscribe",
        "sns:Publish",
        "SNS:DeleteTopic",
        "SNS:Unsubscribe"
      ],
      "Resource": [
        "arn:aws:sns:*:<Amazon ACCOUNT ID>:ParallelClusterImage-*"
      ],
      "Effect": "Allow",
      "Sid": "SNS"
    },
    {
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::parallelcluster-*/*"
      ],
      "Effect": "Allow",
      "Sid": "S3Objects"
    },
    {
      "Action": "iam:CreateServiceLinkedRole",
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:role/aws-service-role/imagebuilder.amazonaws.com/AWSServiceRoleForImageBuilder",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "imagebuilder.amazonaws.com"
        }
      }
    }
  ]
}

User policy for managing IAM resources

When you use Amazon ParallelCluster to create a cluster or a custom AMI, IAM policies and roles must be provided to grant the required set of permissions to the various Amazon ParallelCluster components. These IAM resources can either be created automatically by Amazon ParallelCluster or must be supplied as input when the cluster or custom image resources are created.

Depending on the additional IAM policies granted to the Amazon ParallelCluster user, the following use cases can be enabled:

Privileged IAM access mode

With this mode, Amazon ParallelCluster takes care of automatically creating all the necessary IAM resources. Delegating the creation of IAM resources to Amazon ParallelCluster has the benefit that the IAM policies are scoped down to allow access to cluster resources only.

To enable privileged IAM access mode, add the following policy to the Amazon ParallelCluster user role.

Note

If you configure the HeadNode/Iam/AdditionalPolicies or Scheduling/SlurmQueues/Iam/AdditionalPolicies parameters, you must grant the user permission to attach and detach role policies for each additional policy, as shown in the following policy. Add the additional policy ARNs to the condition of the attach and detach role policy statement.

Warning

This mode gives the user IAM administrator privileges in the Amazon Web Services account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:CreateServiceLinkedRole",
        "iam:DeleteRole",
        "iam:TagRole"
      ],
      "Resource": [
        "arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*"
      ],
      "Effect": "Allow",
      "Sid": "IamRole"
    },
    {
      "Action": [
        "iam:CreateRole"
      ],
      "Resource": [
        "arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*"
      ],
      "Effect": "Allow",
      "Sid": "IamCreateRole"
    },
    {
      "Action": [
        "iam:PutRolePolicy",
        "iam:DeleteRolePolicy"
      ],
      "Resource": "arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*",
      "Effect": "Allow",
      "Sid": "IamInlinePolicy"
    },
    {
      "Condition": {
        "ArnLike": {
          "iam:PolicyARN": [
            "arn:aws:iam::<Amazon ACCOUNT ID>:policy/parallelcluster*",
            "arn:aws:iam::<Amazon ACCOUNT ID>:policy/parallelcluster/*",
            "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
            "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
            "arn:aws:iam::aws:policy/AWSBatchFullAccess",
            "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
            "arn:aws:iam::aws:policy/service-role/AWSBatchServiceRole",
            "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
            "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
            "arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole",
            "arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder",
            "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
          ]
        }
      },
      "Action": [
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy"
      ],
      "Resource": "arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*",
      "Effect": "Allow",
      "Sid": "IamPolicy"
    }
  ]
}

Restricted IAM access mode

If no additional IAM policies are granted to the Amazon ParallelCluster user, the IAM roles required by the cluster or by the custom image build need to be created manually by an IAM administrator and passed as part of the resource configuration.

When creating a cluster, the following parameters are required:

When building a custom image, the following parameters are required:

The IAM roles passed through the parameters above must be created under the /parallelcluster/ path prefix. If this is not possible, the Amazon ParallelCluster user policy needs to be updated to grant iam:PassRole permission on the specific custom roles, as shown in the following example.

{
  "Condition": {
    "StringEqualsIfExists": {
      "iam:PassedToService": [
        "ecs-tasks.amazonaws.com",
        "lambda.amazonaws.com",
        "ec2.amazonaws.com",
        "spotfleet.amazonaws.com",
        "batch.amazonaws.com",
        "codebuild.amazonaws.com"
      ]
    }
  },
  "Action": [
    "iam:PassRole"
  ],
  "Resource": [
    <list all custom IAM roles>
  ],
  "Effect": "Allow",
  "Sid": "IamPassRole"
}

Warning

Currently this mode does not allow managing Amazon Batch clusters, because not all IAM roles can be passed in the cluster configuration.
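The path check described above, as an added Python example that is not part of the Amazon ParallelCluster documentation or code base: given the role ARNs passed in a cluster or image configuration, it picks out the roles outside the /parallelcluster/ path prefix (the base user policy already covers roles under that prefix) and emits the IamPassRole statement from the example above with those roles filled in. The account ID and role names in the sample are constructed; the iam:PassedToService list is copied from the statement above.

```python
"""Build the iam:PassRole statement that restricted IAM access mode needs for
custom roles outside /parallelcluster/. Added example, not Amazon ParallelCluster
code; sample ARNs below are constructed."""
import json
import re

# Services Amazon ParallelCluster passes roles to, copied from the page's
# IamPassRole statement for restricted IAM access mode.
PASSED_TO_SERVICES = [
    "ecs-tasks.amazonaws.com",
    "lambda.amazonaws.com",
    "ec2.amazonaws.com",
    "spotfleet.amazonaws.com",
    "batch.amazonaws.com",
    "codebuild.amazonaws.com",
]

ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/(.+)$")


def role_path(arn: str) -> str:
    """Return the IAM path of a role ARN, e.g. "/parallelcluster/" or "/"."""
    match = ROLE_ARN.match(arn)
    if not match:
        raise ValueError(f"not an IAM role ARN: {arn}")
    path_and_name = match.group(2)
    if "/" not in path_and_name:
        return "/"
    return "/" + path_and_name.rsplit("/", 1)[0] + "/"


def roles_needing_pass_role(role_arns):
    """Roles outside the /parallelcluster/ prefix. The base user policy's
    Resource (arn:aws:iam::<account>:role/parallelcluster/*) does not match
    them, so they need an explicit iam:PassRole grant."""
    return [arn for arn in role_arns
            if not role_path(arn).startswith("/parallelcluster/")]


def pass_role_statement(role_arns):
    """The IamPassRole statement with the custom roles filled in, or None when
    every role is already under /parallelcluster/ and no change is needed."""
    extra = roles_needing_pass_role(role_arns)
    if not extra:
        return None
    return {
        "Condition": {
            "StringEqualsIfExists": {"iam:PassedToService": PASSED_TO_SERVICES}
        },
        "Action": ["iam:PassRole"],
        "Resource": extra,
        "Effect": "Allow",
        "Sid": "IamPassRole",
    }


if __name__ == "__main__":
    # Constructed sample: the roles a cluster configuration might pass.
    sample_roles = [
        "arn:aws:iam::123456789012:role/parallelcluster/HeadNodeRole",
        "arn:aws:iam::123456789012:role/hpc-team/ComputeNodeRole",
    ]
    print(json.dumps(pass_role_statement(sample_roles), indent=2))
```

The same rule applies to the head node policy further down: a compute role passed through Scheduling/SlurmQueues/Iam/InstanceRole that lives outside /parallelcluster/ must be added to the Resource of that policy's iam:PassRole statement as well.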

PermissionsBoundary mode

This mode delegates the creation of IAM roles to Amazon ParallelCluster, but those roles are bound to the configured IAM permissions boundary. For more information about IAM permissions boundaries, see Permissions boundaries for IAM entities in the IAM User Guide.

The following policy needs to be added to the Amazon ParallelCluster user role.

In the policy, replace <permissions-boundary-arn> with the ARN of the IAM policy to enforce as the permissions boundary.

Warning

If you configure the HeadNode/Iam/AdditionalPolicies or Scheduling/SlurmQueues/Iam/AdditionalPolicies parameters, you must grant the user permission to attach and detach role policies for each additional policy, as shown in the following policy. Add the additional policy ARNs to the condition of the attach and detach role policy statement.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:CreateServiceLinkedRole",
        "iam:DeleteRole",
        "iam:TagRole"
      ],
      "Resource": [
        "arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*"
      ],
      "Effect": "Allow",
      "Sid": "IamRole"
    },
    {
      "Condition": {
        "StringEquals": {
          "iam:PermissionsBoundary": [
            "<permissions-boundary-arn>"
          ]
        }
      },
      "Action": [
        "iam:CreateRole"
      ],
      "Resource": [
        "arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*"
      ],
      "Effect": "Allow",
      "Sid": "IamCreateRole"
    },
    {
      "Condition": {
        "StringEquals": {
          "iam:PermissionsBoundary": [
            "<permissions-boundary-arn>"
          ]
        }
      },
      "Action": [
        "iam:PutRolePolicy",
        "iam:DeleteRolePolicy"
      ],
      "Resource": "arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*",
      "Effect": "Allow",
      "Sid": "IamInlinePolicy"
    },
    {
      "Condition": {
        "StringEquals": {
          "iam:PermissionsBoundary": [
            "<permissions-boundary-arn>"
          ]
        },
        "ArnLike": {
          "iam:PolicyARN": [
            "arn:aws:iam::<Amazon ACCOUNT ID>:policy/parallelcluster*",
            "arn:aws:iam::<Amazon ACCOUNT ID>:policy/parallelcluster/*",
            "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
            "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
            "arn:aws:iam::aws:policy/AWSBatchFullAccess",
            "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
            "arn:aws:iam::aws:policy/service-role/AWSBatchServiceRole",
            "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
            "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
            "arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole",
            "arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder",
            "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
          ]
        }
      },
      "Action": [
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy"
      ],
      "Resource": "arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*",
      "Effect": "Allow",
      "Sid": "IamPolicy"
    }
  ]
}

When this mode is enabled, the permissions boundary must be specified in the cluster configuration through the Iam/PermissionsBoundary parameter and in the custom image configuration through the Build/Iam/PermissionsBoundary parameter.
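As an added Python example (not Amazon ParallelCluster code), the following prepares the PermissionsBoundary-mode policy above: it substitutes <Amazon ACCOUNT ID> and <permissions-boundary-arn>, appends the ARNs configured under HeadNode/Iam/AdditionalPolicies or Scheduling/SlurmQueues/Iam/AdditionalPolicies to the ArnLike condition of the IamPolicy statement (the step the warnings in this section and in the privileged IAM access mode section call for), and then checks that every statement allowing iam:CreateRole, iam:PutRolePolicy or iam:AttachRolePolicy still pins iam:PermissionsBoundary to the configured boundary. TEMPLATE is a shortened copy of the policy above with a trimmed iam:PolicyARN list; the account ID, boundary ARN and additional policy ARN are constructed sample values.

```python
"""Render and sanity-check the PermissionsBoundary-mode user policy.
Added example, not Amazon ParallelCluster code; sample values are constructed."""
import json
import re

# Actions that create a role or change what it can do. In PermissionsBoundary
# mode each Allow for these must carry the iam:PermissionsBoundary condition.
ROLE_MUTATING = {
    "iam:CreateRole", "iam:PutRolePolicy", "iam:DeleteRolePolicy",
    "iam:AttachRolePolicy", "iam:DetachRolePolicy",
}

BOUNDARY_KEY = "iam:PermissionsBoundary"

# Shortened copy of the page's PermissionsBoundary-mode policy (same shape,
# fewer iam:PolicyARN entries), with the page's placeholders left in.
TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["iam:CreateServiceLinkedRole", "iam:DeleteRole", "iam:TagRole"],
         "Resource": ["arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*"],
         "Effect": "Allow", "Sid": "IamRole"},
        {"Condition": {"StringEquals": {BOUNDARY_KEY: ["<permissions-boundary-arn>"]}},
         "Action": ["iam:CreateRole"],
         "Resource": ["arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*"],
         "Effect": "Allow", "Sid": "IamCreateRole"},
        {"Condition": {"StringEquals": {BOUNDARY_KEY: ["<permissions-boundary-arn>"]}},
         "Action": ["iam:PutRolePolicy", "iam:DeleteRolePolicy"],
         "Resource": "arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*",
         "Effect": "Allow", "Sid": "IamInlinePolicy"},
        {"Condition": {"StringEquals": {BOUNDARY_KEY: ["<permissions-boundary-arn>"]},
                       "ArnLike": {"iam:PolicyARN": [
                           "arn:aws:iam::<Amazon ACCOUNT ID>:policy/parallelcluster*",
                           "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
                           "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"]}},
         "Action": ["iam:AttachRolePolicy", "iam:DetachRolePolicy"],
         "Resource": "arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*",
         "Effect": "Allow", "Sid": "IamPolicy"},
    ],
}


def render_policy(template, account_id, boundary_arn, additional_policy_arns=()):
    """Fill in the placeholders and add the AdditionalPolicies ARNs to the
    ArnLike condition of the IamPolicy (attach/detach) statement."""
    text = json.dumps(template)
    text = text.replace("<Amazon ACCOUNT ID>", account_id)
    text = text.replace("<permissions-boundary-arn>", boundary_arn)
    policy = json.loads(text)  # deep copy; TEMPLATE stays untouched
    for stmt in policy["Statement"]:
        if stmt.get("Sid") == "IamPolicy":
            allowed = stmt["Condition"]["ArnLike"]["iam:PolicyARN"]
            for arn in additional_policy_arns:
                if arn not in allowed:
                    allowed.append(arn)
    return policy


def leftover_placeholders(policy):
    """Any <...> tokens still present, i.e. values the operator forgot to set."""
    return sorted(set(re.findall(r"<[^>]+>", json.dumps(policy))))


def unguarded_statements(policy, boundary_arn):
    """Sids of Allow statements that can create or change a role without
    pinning iam:PermissionsBoundary to boundary_arn. An empty list means every
    role Amazon ParallelCluster creates with this policy stays inside the boundary."""
    bad = []
    for stmt in policy["Statement"]:
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if stmt.get("Effect") != "Allow" or not ROLE_MUTATING.intersection(actions):
            continue
        pinned = stmt.get("Condition", {}).get("StringEquals", {}).get(BOUNDARY_KEY, [])
        pinned = pinned if isinstance(pinned, list) else [pinned]
        if pinned != [boundary_arn]:
            bad.append(stmt.get("Sid", "<no Sid>"))
    return bad


if __name__ == "__main__":
    # Constructed sample values.
    boundary = "arn:aws:iam::123456789012:policy/pcluster-boundary"
    rendered = render_policy(TEMPLATE, "123456789012", boundary,
                             ["arn:aws:iam::123456789012:policy/TeamS3Access"])
    print(json.dumps(rendered, indent=2))
    print("placeholders left:", leftover_placeholders(rendered))
    print("unguarded statements:", unguarded_statements(rendered, boundary))
```

The check in unguarded_statements is the difference between this mode and privileged IAM access mode: the privileged policy carries the same IamCreateRole and IamInlinePolicy statements without the condition, so running the check against it reports both Sids.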

Amazon ParallelCluster parameters to control IAM permissions

Amazon ParallelCluster exposes a set of configuration options to control and customize the IAM roles used in the cluster or during the custom AMI creation process.

Cluster configuration

Head node IAM role

HeadNode / Iam / InstanceRole | InstanceProfile

This option allows overriding the IAM role assigned to the head node of the cluster. For additional details, see the InstanceProfile reference.

The following is the minimal set of policies to be used as part of this role when the scheduler is Slurm:

  • The arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy managed IAM policy. For more information, see Create IAM roles and users for use with the CloudWatch agent in the Amazon CloudWatch User Guide.

  • The arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore managed IAM policy. For more information, see Amazon managed policies for Amazon Systems Manager in the Amazon Systems Manager User Guide.

  • Additional IAM policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "s3:GetObject",
            "s3:GetObjectVersion"
          ],
          "Resource": [
            "arn:aws:s3:::<REGION>-aws-parallelcluster/*",
            "arn:aws:s3:::dcv-license.<REGION>/*",
            "arn:aws:s3:::parallelcluster-*-v1-do-not-delete/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "dynamodb:GetItem",
            "dynamodb:PutItem",
            "dynamodb:BatchWriteItem"
          ],
          "Resource": "arn:aws:dynamodb:<REGION>:<Amazon ACCOUNT ID>:table/parallelcluster-*",
          "Effect": "Allow"
        },
        {
          "Condition": {
            "StringEquals": {
              "ec2:ResourceTag/parallelcluster:node-type": "Compute"
            }
          },
          "Action": "ec2:TerminateInstances",
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "ec2:RunInstances",
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Condition": {
            "StringEquals": {
              "iam:PassedToService": [
                "ec2.amazonaws.com"
              ]
            }
          },
          "Action": [
            "iam:PassRole"
          ],
          "Resource": [
            "arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*",
            "arn:aws:iam::<Amazon ACCOUNT ID>:instance-profile/parallelcluster/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "ec2:DescribeInstances",
            "ec2:DescribeInstanceStatus",
            "ec2:DescribeVolumes",
            "ec2:DescribeInstanceAttribute"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "ec2:CreateTags",
            "ec2:AttachVolume"
          ],
          "Resource": [
            "arn:aws:ec2:<REGION>:<Amazon ACCOUNT ID>:instance/*",
            "arn:aws:ec2:<REGION>:<Amazon ACCOUNT ID>:volume/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "cloudformation:DescribeStackResource",
            "cloudformation:SignalResource"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "route53:ChangeResourceRecordSets"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "secretsmanager:GetSecretValue",
          "Resource": "arn:aws:secretsmanager:<REGION>:<Amazon ACCOUNT ID>:secret:<SECRET_ID>",
          "Effect": "Allow"
        }
      ]
    }

Note that if Scheduling / SlurmQueues / Iam / InstanceRole is used to override the compute IAM role, the head node policy reported above needs to include that role in the Resource of the iam:PassRole permission.
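To show what the ec2:ResourceTag/parallelcluster:node-type condition in the head node policy above actually buys, here is an added Python example (not Amazon ParallelCluster code) built around a deliberately small IAM evaluator: it handles Allow and Deny, "*" wildcards in Action and Resource, and the StringEquals operator, which is all the two ec2 statements use. The instance ARN and the tag values in the request contexts are constructed, and the evaluator is a teaching simplification, not the IAM policy engine.

```python
"""Offline illustration of how the head node policy's tag condition scopes
ec2:TerminateInstances to compute nodes. Added example, not Amazon
ParallelCluster code; request contexts and ARNs are constructed."""
from fnmatch import fnmatchcase

# The two ec2 statements copied from the page's head node policy (Slurm).
HEAD_NODE_STATEMENTS = [
    {
        "Condition": {
            "StringEquals": {"ec2:ResourceTag/parallelcluster:node-type": "Compute"}
        },
        "Action": "ec2:TerminateInstances",
        "Resource": "*",
        "Effect": "Allow",
    },
    {"Action": "ec2:RunInstances", "Resource": "*", "Effect": "Allow"},
]

# Constructed request contexts: the node-type tag IAM reads off the target
# instance. An untagged instance yields an empty context.
COMPUTE_NODE = {"ec2:ResourceTag/parallelcluster:node-type": "Compute"}
HEAD_NODE = {"ec2:ResourceTag/parallelcluster:node-type": "HeadNode"}
INSTANCE_ARN = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Only the StringEquals operator is implemented, as that is all the policy
    uses. A condition key missing from the request context evaluates to false,
    which is why an untagged instance is not terminable."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not supported here")
        for key, expected in pairs.items():
            if key not in context or context[key] not in _as_list(expected):
                return False
    return True


def is_allowed(statements, action, resource, context=None):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching
    Allow grants, otherwise implicit deny. '*' and '?' wildcards are honoured
    in Action and Resource."""
    context = context or {}
    allowed = False
    for stmt in statements:
        if not any(fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    for label, ctx in [("compute node", COMPUTE_NODE), ("head node", HEAD_NODE), ("untagged", {})]:
        verdict = is_allowed(HEAD_NODE_STATEMENTS, "ec2:TerminateInstances", INSTANCE_ARN, ctx)
        print(f"terminate {label}: {'allowed' if verdict else 'denied'}")
```

The head node can launch instances freely but can only terminate instances tagged as compute nodes, so a compromised head node cannot terminate itself or unrelated instances in the account through this role; the Lambda functions role further down uses the same condition for the same reason.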

The following is the minimal set of policies to be used as part of this role when the scheduler is Amazon Batch:

  • The arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy managed IAM policy. For more information, see Create IAM roles and users for use with the CloudWatch agent in the Amazon CloudWatch User Guide.

  • The arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore managed IAM policy. For more information, see Amazon managed policies for Amazon Systems Manager in the Amazon Systems Manager User Guide.

  • Additional IAM policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "s3:GetObject",
            "s3:PutObject",
            "s3:GetObjectVersion"
          ],
          "Resource": [
            "arn:aws:s3:::parallelcluster-*-v1-do-not-delete/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": "s3:GetObject",
          "Resource": [
            "arn:aws:s3:::dcv-license.<REGION>/*",
            "arn:aws:s3:::<REGION>-aws-parallelcluster/*"
          ],
          "Effect": "Allow"
        },
        {
          "Condition": {
            "StringEquals": {
              "iam:PassedToService": [
                "batch.amazonaws.com"
              ]
            }
          },
          "Action": [
            "iam:PassRole"
          ],
          "Resource": [
            "arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*",
            "arn:aws:iam::<Amazon ACCOUNT ID>:instance-profile/parallelcluster/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "batch:DescribeJobQueues",
            "batch:DescribeJobs",
            "batch:ListJobs",
            "batch:DescribeComputeEnvironments"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "batch:SubmitJob",
            "batch:TerminateJob",
            "logs:GetLogEvents",
            "ecs:ListContainerInstances",
            "ecs:DescribeContainerInstances"
          ],
          "Resource": [
            "arn:aws:logs:<REGION>:<Amazon ACCOUNT ID>:log-group:/aws/batch/job:log-stream:PclusterJobDefinition*",
            "arn:aws:ecs:<REGION>:<Amazon ACCOUNT ID>:container-instance/AWSBatch-PclusterComputeEnviron*",
            "arn:aws:ecs:<REGION>:<Amazon ACCOUNT ID>:cluster/AWSBatch-Pcluster*",
            "arn:aws:batch:<REGION>:<Amazon ACCOUNT ID>:job-queue/PclusterJobQueue*",
            "arn:aws:batch:<REGION>:<Amazon ACCOUNT ID>:job-definition/PclusterJobDefinition*:*",
            "arn:aws:batch:<REGION>:<Amazon ACCOUNT ID>:job/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "ec2:DescribeInstances",
            "ec2:DescribeInstanceStatus",
            "ec2:DescribeVolumes",
            "ec2:DescribeInstanceAttribute"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "ec2:CreateTags",
            "ec2:AttachVolume"
          ],
          "Resource": [
            "arn:aws:ec2:<REGION>:<Amazon ACCOUNT ID>:instance/*",
            "arn:aws:ec2:<REGION>:<Amazon ACCOUNT ID>:volume/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "cloudformation:DescribeStackResource",
            "cloudformation:DescribeStacks",
            "cloudformation:SignalResource"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "secretsmanager:GetSecretValue",
          "Resource": "arn:aws:secretsmanager:<REGION>:<Amazon ACCOUNT ID>:secret:<SECRET_ID>",
          "Effect": "Allow"
        }
      ]
    }

Access to Amazon S3

HeadNode/Iam/S3Access or Scheduling/SlurmQueues/S3Access

This configuration section allows customizing Amazon S3 access by granting additional Amazon S3 policies to the IAM roles associated with the head node or the compute nodes of the cluster, when those roles are created by Amazon ParallelCluster. For more information, see the reference documentation of each configuration parameter.

This parameter can be used only when the Amazon ParallelCluster user is configured with privileged IAM access mode or PermissionsBoundary mode.

Additional IAM policies

HeadNode/Iam/AdditionalIamPolicies or SlurmQueues/Iam/AdditionalIamPolicies

Use this option to attach additional managed IAM policies to the IAM roles associated with the head node or the compute nodes of the cluster, when those roles are created by Amazon ParallelCluster.

Warning

To use this option, make sure the Amazon ParallelCluster user is granted iam:AttachRolePolicy and iam:DetachRolePolicy permissions for the IAM policies that need to be attached.

Amazon Lambda functions role

Iam / Roles / LambdaFunctionsRole

This option overrides the role attached to all Amazon Lambda functions used during cluster creation. Amazon Lambda needs to be configured as the principal allowed to assume the role.

The following is the minimal set of policies to be used as part of this role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "route53:ListResourceRecordSets",
        "route53:ChangeResourceRecordSets"
      ],
      "Resource": "arn:aws:route53:::hostedzone/*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:logs:<REGION>:<Amazon ACCOUNT ID>:log-group:/aws/lambda/pcluster-*"
    },
    {
      "Action": "ec2:DescribeInstances",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "ec2:TerminateInstances",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/parallelcluster:node-type": "Compute"
        }
      },
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:ListBucket",
        "s3:ListBucketVersions"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::parallelcluster-*-v1-do-not-delete",
        "arn:aws:s3:::parallelcluster-*-v1-do-not-delete/*"
      ]
    },
    {
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:<REGION>:<Amazon ACCOUNT ID>:secret:<SECRET_ID>",
      "Effect": "Allow"
    }
  ]
}

Compute node IAM role

Scheduling / SlurmQueues / Iam / InstanceRole | InstanceProfile

This option allows overriding the IAM role assigned to the compute nodes of the cluster. For more information, see InstanceProfile.

The following is the minimal set of policies to be used as part of this role:

  • The arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy managed IAM policy. For more information, see Create IAM roles and users for use with the CloudWatch agent in the Amazon CloudWatch User Guide.

  • The arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore managed IAM policy. For more information, see Amazon managed policies for Amazon Systems Manager in the Amazon Systems Manager User Guide.

  • Additional IAM policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "dynamodb:Query"
          ],
          "Resource": "arn:aws:dynamodb:<REGION>:<Amazon ACCOUNT ID>:table/parallelcluster-*",
          "Effect": "Allow"
        },
        {
          "Action": "s3:GetObject",
          "Resource": [
            "arn:aws:s3:::<REGION>-aws-parallelcluster/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": "ec2:DescribeInstanceAttribute",
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": "secretsmanager:GetSecretValue",
          "Resource": "arn:aws:secretsmanager:<REGION>:<Amazon ACCOUNT ID>:secret:<SECRET_ID>",
          "Effect": "Allow"
        }
      ]
    }

Permissions boundary

Iam / PermissionsBoundary

This parameter forces Amazon ParallelCluster to attach the given IAM policy as a PermissionsBoundary to all IAM roles created as part of the cluster deployment.

See PermissionsBoundary mode for the list of policies the Amazon ParallelCluster user needs in order to use this functionality.

Custom image configuration

Instance role for EC2 Image Builder

Build / Iam / InstanceRole | InstanceProfile

This option allows overriding the IAM role assigned to the EC2 instance launched by EC2 Image Builder to create the custom AMI.

The following is the minimal set of policies to be used as part of this role:

  • The arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore managed IAM policy. For more information, see Amazon managed policies for Amazon Systems Manager in the Amazon Systems Manager User Guide.

  • The arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder managed IAM policy. For more information, see EC2InstanceProfileForImageBuilder policy in the Image Builder User Guide.

  • Additional IAM policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "ec2:CreateTags",
            "ec2:ModifyImageAttribute"
          ],
          "Resource": "arn:aws:ec2:<REGION>::image/*",
          "Effect": "Allow"
        }
      ]
    }

Amazon Lambda cleanup role

Build / Iam / CleanupLambdaRole

This option overrides the role attached to all Amazon Lambda functions used during the custom image build process. Amazon Lambda needs to be configured as the principal allowed to assume the role.

The following is the minimal set of policies to be used as part of this role:

  • The arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole managed IAM policy. For more information, see Amazon managed policies for Lambda features in the Amazon Lambda Developer Guide.

  • Additional IAM policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "iam:DetachRolePolicy",
            "iam:DeleteRole",
            "iam:DeleteRolePolicy"
          ],
          "Resource": "arn:aws:iam::<Amazon ACCOUNT ID>:role/parallelcluster/*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "iam:DeleteInstanceProfile",
            "iam:RemoveRoleFromInstanceProfile"
          ],
          "Resource": "arn:aws:iam::<Amazon ACCOUNT ID>:instance-profile/parallelcluster/*",
          "Effect": "Allow"
        },
        {
          "Action": "imagebuilder:DeleteInfrastructureConfiguration",
          "Resource": "arn:aws:imagebuilder:<REGION>:<Amazon ACCOUNT ID>:infrastructure-configuration/parallelclusterimage-*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "imagebuilder:DeleteComponent"
          ],
          "Resource": [
            "arn:aws:imagebuilder:<REGION>:<Amazon ACCOUNT ID>:component/parallelclusterimage-*/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": "imagebuilder:DeleteImageRecipe",
          "Resource": "arn:aws:imagebuilder:<REGION>:<Amazon ACCOUNT ID>:image-recipe/parallelclusterimage-*/*",
          "Effect": "Allow"
        },
        {
          "Action": "imagebuilder:DeleteDistributionConfiguration",
          "Resource": "arn:aws:imagebuilder:<REGION>:<Amazon ACCOUNT ID>:distribution-configuration/parallelclusterimage-*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "imagebuilder:DeleteImage",
            "imagebuilder:GetImage",
            "imagebuilder:CancelImageCreation"
          ],
          "Resource": "arn:aws:imagebuilder:<REGION>:<Amazon ACCOUNT ID>:image/parallelclusterimage-*/*",
          "Effect": "Allow"
        },
        {
          "Action": "cloudformation:DeleteStack",
          "Resource": "arn:aws:cloudformation:<REGION>:<Amazon ACCOUNT ID>:stack/*/*",
          "Effect": "Allow"
        },
        {
          "Action": "ec2:CreateTags",
          "Resource": "arn:aws:ec2:<REGION>::image/*",
          "Effect": "Allow"
        },
        {
          "Action": "tag:TagResources",
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "lambda:DeleteFunction",
            "lambda:RemovePermission"
          ],
          "Resource": "arn:aws:lambda:<REGION>:<Amazon ACCOUNT ID>:function:ParallelClusterImage-*",
          "Effect": "Allow"
        },
        {
          "Action": "logs:DeleteLogGroup",
          "Resource": "arn:aws:logs:<REGION>:<Amazon ACCOUNT ID>:log-group:/aws/lambda/ParallelClusterImage-*:*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "SNS:GetTopicAttributes",
            "SNS:DeleteTopic",
            "SNS:GetSubscriptionAttributes",
            "SNS:Unsubscribe"
          ],
          "Resource": "arn:aws:sns:<REGION>:<Amazon ACCOUNT ID>:ParallelClusterImage-*",
          "Effect": "Allow"
        }
      ]
    }

Additional IAM policies

Build / Iam / AdditionalIamPolicies

You can use this option to attach additional managed IAM policies to the role associated with the EC2 instance that EC2 Image Builder uses to build the custom AMI.

Warning

To use this option, make sure the Amazon ParallelCluster user is granted iam:AttachRolePolicy and iam:DetachRolePolicy permissions for the IAM policies that need to be attached.

Permissions boundary

Build / Iam / PermissionsBoundary

This parameter forces Amazon ParallelCluster to attach the given IAM policy as a PermissionsBoundary to all IAM roles created as part of the custom AMI build.

See PermissionsBoundary mode for the list of policies required to use this functionality.